Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

This class is limited to 20 students.

Because the class requires that a version of IDA Pro 4.8 or 4.9 be installed on the participant's laptop, you must purchase the software directly from DataRescue.

Analyzing Software for Security Vulnerabilities

Halvar Flake

What to bring: Students must bring their own laptop with a full version of IDA Pro 4.8 or 4.9 installed. Failure to do so will make participation impossible.

A decent knowledge of x86 assembly language and good knowledge of C is required. It is helpful to have experience with C++ and Python (for the automation part).

Several other tools will be provided on the CD (IDA Plugins, C Compiler, Source Analysis Helpers, IDC Scripts).

The C programming language gives the programmer a lot of rope to hang himself with - and C++ just adds to the feature list. Both languages have an impressive number of subtle pitfalls, and many of these can be leveraged by a skilled attacker to execute code on a computer on which these vulnerable programs run. But while almost everybody seems to understand the significance of these programming mistakes, few actually sit down and analyze code from the security analysis perspective. This workshop focuses on teaching security-specific code analysis, both in source and in binary form.

Day One: Basics

The first day will start out with a thorough review of common (and not so common) security-critical bugs in C, and discuss a number of methodologies used for finding such mistakes. A few problems specific to C++ code will be covered, and tools that can help in the process of code analysis will be discussed.

As a next step, the connection between C/C++ and the generated assembly code will be treated: How do high-level-language features such as switch()-statements, conditionals, class inheritance etc. translate to the assembly level? How can a reverse engineer reconstruct parts of them?

Day Two: Automation

The second day is dedicated to semi-automation of the analysis process: Visualisation tools will be used to facilitate program understanding, IDAPython scripts for structure/object reconstruction and other repetitive tasks will be created and used. Once we have a decent toolkit, we will start the analysis of a closed-source application in the hope of finding security bugs.

Trainer:

Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined Black Hat as their main reverse engineer.
